package org.springframework.security.config.annotation.web.configurers.oauth2.client;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import java.util.function.Function;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.4.6.jar:org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthenticationProvider.class */
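/**
 * Authenticates an OIDC Back-Channel Logout request by verifying the logout token it carries.
 *
 * <p>The logout token is decoded with a {@link JwtDecoderFactory} keyed by
 * {@link ClientRegistration}. The default factory, installed by the constructor, verifies the
 * signature against the registration's JWK Set URI, restricts the JOSE {@code typ} header, and
 * applies Spring Security's default JWT validators together with
 * {@code OidcBackChannelLogoutTokenValidator}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>The default {@code typ} check accepts an absent header, {@code JWT} and {@code logout+jwt}.
 * Because the first two are also what an ordinary ID token may carry, the header alone does not
 * prove the JWT is a logout token; that distinction rests on the claim-level validator.
 * NOTE(review): {@code OidcBackChannelLogoutTokenValidator} is not visible here; confirm that it
 * enforces the logout-token claim rules of the Back-Channel Logout specification.</li>
 * <li>A new decoder is built for every token (see {@link #decode}). NOTE(review): if JWK set
 * caching is held per decoder instance, each logout request may trigger a fetch of the JWK Set
 * URI; confirm this is acceptable for the endpoint's exposure.</li>
 * </ul>
 */
final class OidcBackChannelLogoutAuthenticationProvider implements AuthenticationProvider {
    // Replaceable through setLogoutTokenDecoderFactory; never null after construction.
    private JwtDecoderFactory<ClientRegistration> logoutTokenDecoderFactory;

    /**
     * Installs the default logout-token decoder factory.
     *
     * <p>The decompiler reports that this constructor's access modifier was changed from
     * package-private; the {@code public} modifier is kept as decompiled.
     */
    public OidcBackChannelLogoutAuthenticationProvider() {
        // Typed explicitly so the validator reaches setJwtValidator without a raw cast.
        Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidator = clientRegistration ->
                JwtValidators.createDefaultWithValidators(new OidcBackChannelLogoutTokenValidator(clientRegistration));
        this.logoutTokenDecoderFactory = registration -> {
            String jwkSetUri = registration.getProviderDetails().getJwkSetUri();
            if (!StringUtils.hasText(jwkSetUri)) {
                // Fail closed: without a JWK Set URI there is no key to verify the signature with.
                OAuth2Error error = new OAuth2Error("missing_signature_verifier", "Failed to find a Signature Verifier for Client Registration: '" + registration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
                throw new OAuth2AuthenticationException(error, error.toString());
            }
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                    // Allowed "typ" values: absent (null), "JWT" and "logout+jwt".
                    // The diamond lets the verifier's type argument follow the processor's.
                    .jwtProcessorCustomizer(processor -> processor.setJWSTypeVerifier(
                            new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType[]{null, JOSEObjectType.JWT, new JOSEObjectType("logout+jwt")})))
                    .build();
            decoder.setJwtValidator(jwtValidator.apply(registration));
            decoder.setClaimSetConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverter());
            return decoder;
        };
    }

    /**
     * Verifies the logout token carried by an {@code OidcLogoutAuthenticationToken}.
     *
     * @param authentication the authentication request
     * @return an {@code OidcBackChannelLogoutAuthentication} holding the verified logout token and
     * its client registration, or {@code null} if {@code authentication} is not an
     * {@code OidcLogoutAuthenticationToken}
     * @throws AuthenticationException if the token cannot be decoded or fails validation
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!(authentication instanceof OidcLogoutAuthenticationToken)) {
            return null;
        }
        OidcLogoutAuthenticationToken logoutRequest = (OidcLogoutAuthenticationToken) authentication;
        String logoutToken = logoutRequest.getLogoutToken();
        ClientRegistration clientRegistration = logoutRequest.getClientRegistration();
        // Claims are only read from the Jwt returned by decode(), i.e. after it has succeeded.
        Jwt jwt = decode(clientRegistration, logoutToken);
        OidcLogoutToken oidcLogoutToken = OidcLogoutToken.withTokenValue(logoutToken)
                .claims(claims -> claims.putAll(jwt.getClaims()))
                .build();
        return new OidcBackChannelLogoutAuthentication(oidcLogoutToken, clientRegistration);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the authentication class to test
     * @return {@code true} if {@code cls} is {@code OidcLogoutAuthenticationToken} or a subtype
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> cls) {
        return OidcLogoutAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Creates a decoder for the registration and decodes the raw logout token with it.
     *
     * <p>A {@link BadJwtException} is reported as an OAuth 2.0 {@code invalid_request} error that
     * links to the Back-Channel Logout validation section. Any other exception, including one
     * thrown while creating the decoder, is wrapped in an {@link AuthenticationServiceException}.
     *
     * <p>NOTE(review): both branches copy the underlying exception message into the thrown
     * error. Confirm how the logout endpoint renders these errors so that decoder or
     * configuration detail is not returned to the caller verbatim.
     *
     * @param clientRegistration the registration whose provider issued the token
     * @param str the serialized logout token
     * @return the decoded and validated JWT
     */
    private Jwt decode(ClientRegistration clientRegistration, String str) {
        try {
            return this.logoutTokenDecoderFactory.createDecoder(clientRegistration).decode(str);
        } catch (BadJwtException e) {
            OAuth2Error error = new OAuth2Error("invalid_request", e.getMessage(), "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
            throw new OAuth2AuthenticationException(error, e);
        } catch (Exception e2) {
            throw new AuthenticationServiceException(e2.getMessage(), e2);
        }
    }

    /**
     * Replaces the factory used to build logout-token decoders.
     *
     * <p>The default signature source, {@code typ} restriction and validators exist only in the
     * default factory, so a replacement factory has to supply its own equivalents.
     *
     * @param jwtDecoderFactory the factory to use; must not be {@code null}
     */
    void setLogoutTokenDecoderFactory(JwtDecoderFactory<ClientRegistration> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "logoutTokenDecoderFactory cannot be null");
        this.logoutTokenDecoderFactory = jwtDecoderFactory;
    }
}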
